ESXi Updates for Cloud Foundation for Service Providers fails during upload

Article ID: 330377


Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • The SSL certificates were updated in the vSphere deployment.
  • Attempts to apply the updates to an ESXi host fail, and you see errors similar to:
    ...
          {
            "bundleId": "6230de15-46e7-4623-a0be-4a07dcf17e8b",
            "bundleElementId": "4bf37a6a-3150-463f-9cab-144b54aafb4f",
            "bundleElementOrder": 1,
            "resourceType": "ESX_HOST",
            "resourceId": "ff7862c1-dacd-11e7-815a-93f8572d9e8d",
            "upgradeId": "ee276890-9095-465c-a681-d2b4a6a9679e",
            "upgradeStatus": "COMPLETED_WITH_FAILURE",
            "upgradeError": {
              "errorType": "RECOVERABLE",
              "stage": "ESX_UPGRADE_VUM_STAGE_UPLOAD_FILES",
              "errorCode": "ESX_UPGRADE_VUM_FAILED_UPLOAD",
              "errorDescription": "",
              "metadata": "\nThe upload of ESXi update bits failed.\nUpgrade failed. Auto-recovery attempt failed as well. Manual intervention needed.\nCheck for errors in the lcm log files located on server 127.0.0.1 under /home/vrack/lcm/logs\nLCM will bring the domain back online once problems found in above steps are fixed manually. Please retry the upgrade once the upgrade is available again."
            }
    ...

     
  • In /home/vrack/lcm/logs/lcm.log on the node manager, you see entries similar to:

    2017-12-11 17:44:08.546 [ThreadPoolTaskExecutor-4] DEBUG [com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl]  upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Uploading /mnt/lcm-bundle-repo/6230de15-46e7-4623-a0be-4a07dcf17e8b/bundle-889/ESXi650-201710001.zip to VUM
    2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] INFO  [com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper]  upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Uploading file to VUM: /mnt/lcm-bundle-repo/6230de15-46e7-4623-a0be-4a07dcf17e8b/bundle-889/ESXi650-201710001.zip
    2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] DEBUG [com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper]  upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Logging into VUM File upload server @ https://s603107ch3vc01.dccf.s603107.io:9087/vum-fileupload/login/
    2017-12-11 17:44:08.679 [ThreadPoolTaskExecutor-4] ERROR [com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl]  upgradeId=ee276890-9095-465c-a681-d2b4a6a9679e,resourceType=ESX_HOST,resourceId=ff7862c1-dacd-11e7-815a-93f8572d9e8d,bundleElementId=4bf37a6a-3150-463f-9cab-144b54aafb4f Failed to upload file(s) to VUM: {}
    org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://s603107ch3vc01.dccf.s603107.io:9087/vum-fileupload/login/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
            at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
            at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:407)
            at com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper.login(FileUploadHelper.java:96)
            at com.vmware.evo.sddc.lcm.client.vmware.vum.utils.FileUploadHelper.upload(FileUploadHelper.java:134)
            at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunnerImpl.doUpload(EsxVumUpdateStageRunnerImpl.java:627)
            at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumUpdateStageRunner.doStage(EsxVumUpdateStageRunner.java:79)
            at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.runUpgrade(EsxVumPrimitiveImpl.java:288)
            at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.startOrResumeUpgrade(EsxVumPrimitiveImpl.java:170)
            at com.vmware.evo.sddc.lcm.primitive.impl.esx.EsxVumPrimitiveImpl.postUpgrade(EsxVumPrimitiveImpl.java:139)
            at com.vmware.evo.sddc.lcm.orch.PrimitiveService.postUpgrade(PrimitiveService.java:192)
            at com.vmware.evo.sddc.lcm.orch.PrimitiveService$$FastClassBySpringCGLIB$$aff213fb.invoke(<generated>)
            at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
            at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
            at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:115)
            at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
            at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
            at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
            at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
            at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
            ... 19 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
            at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
            at sun.security.validator.Validator.validate(Validator.java:260)
            at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
            at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
            at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
            ... 33 common frames omitted
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
            ... 39 common frames omitted


Cause

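SDDC Manager cannot upload the updates to VUM for them to be applied because it does not trust the certificate that is now installed. The "PKIX path building failed" error in lcm.log is raised while logging in to the VUM file upload server, before any file is transferred.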
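To confirm this cause from the log rather than by reading stack traces, the following added example (not part of the original article and not VMware code) groups each lcm.log entry with its exception lines and reports only the ERROR entries caused by a PKIX trust failure, with the upgrade context and the endpoint whose certificate was rejected. The sample log is constructed, its IDs and host names are placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Entry header: "YYYY-MM-DD HH:MM:SS.mmm [thread] LEVEL [logger] message"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]+\] "
    r"(?P<level>[A-Z]+)\s+\[[^\]]+\]\s+(?P<msg>.*)$")
CONTEXT_RE = re.compile(r"(upgradeId|resourceType|resourceId|bundleElementId)=([^,\s]+)")
URL_RE = re.compile(r'request for "(https://[^"]+)"')
PKIX_MARKER = "PKIX path building failed"

# Constructed sample: IDs and host names are placeholders, not from a real system.
_CTX = "upgradeId=up-0001,resourceType=ESX_HOST,resourceId=res-0001,bundleElementId=be-0001"
_PKG = "com.vmware.evo.sddc.lcm"
SAMPLE_LOG = f"""\
2017-12-11 17:44:08.549 [ThreadPoolTaskExecutor-4] INFO  [{_PKG}.client.vmware.vum.utils.FileUploadHelper]  {_CTX} Uploading file to VUM: /mnt/lcm-bundle-repo/example.zip
2017-12-11 17:44:08.679 [ThreadPoolTaskExecutor-4] ERROR [{_PKG}.primitive.impl.esx.EsxVumUpdateStageRunnerImpl]  {_CTX} Failed to upload file(s) to VUM: {{}}
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vc01.example.test:9087/vum-fileupload/login/": sun.security.validator.ValidatorException: PKIX path building failed
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
2017-12-11 17:50:01.002 [ThreadPoolTaskExecutor-5] ERROR [{_PKG}.primitive.impl.esx.EsxVumUpdateStageRunnerImpl]  {_CTX} Failed to upload file(s) to VUM: {{}}
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vc02.example.test:9087/vum-fileupload/login/": Connection refused
"""


def split_entries(log_text):
    """Attach continuation lines (exception text, stack frames) to their entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())
    return entries


def find_trust_failures(log_text):
    """Return one record per ERROR entry whose exception is a PKIX trust failure."""
    findings = []
    for e in split_entries(log_text):
        body = "\n".join(e["extra"])
        # Other upload errors (e.g. connection refused) are not certificate problems.
        if e["level"] == "ERROR" and PKIX_MARKER in body:
            url = URL_RE.search(body)
            host = urlsplit(url.group(1)).netloc if url else None
            findings.append({"timestamp": e["ts"], "endpoint": host,
                             **dict(CONTEXT_RE.findall(e["msg"]))})
    return findings
```

Calling `find_trust_failures(SAMPLE_LOG)` returns a single record for `vc01.example.test:9087`; the second ERROR entry is skipped because its exception is a connection failure, not a certificate trust failure.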

Resolution

To resolve this issue, revert the changes to the certificates or install trusted certificates.